The State of Higher Ed InfoSec Awareness Programs

As we observe National Cyber Security Awareness Month this October, let's take a few minutes to review the state of higher ed information security awareness programs and the professionals who run them. In May, the SANS Institute released the 2017 Security Awareness Report, its third annual report on the state of security awareness based on a survey of over a thousand information security training and awareness professionals. The research explores the state of information security awareness and training programs across various industries, including the "educational sector." The 2017 SANS report shares the overall results of its research. However, due to large survey participation from the educational industry (n = 148),[1] SANS shared anonymized data results with the EDUCAUSE Cybersecurity Program so that we could specifically report on the state of information security awareness and training programs in the education sector.[2] This blog shares some of the most interesting findings from our research.

Budgets, FTE, and Time...Oh My!

Much like the results from last year, budgets, staff, and time continue to be in short supply (or even shrinking when it comes to staff size) for higher ed information security awareness programs (see below figures comparing 2016 and 2017 results). Being short on resources is nothing new for higher ed information security professionals, and the community often shares its best practices for thrifty awareness campaigns. Since time is at a premium for most higher ed information security awareness professionals, 57% of respondents noted that they will conduct their 2017 campus awareness activities in an ad hoc manner, depending on the time and resources available to them.

Figure 1. Security awareness training budgets 2016 (n = 74) and 2017 (n = 148)
Figure 2. Security awareness team size 2016 (n = 74) and 2017 (n = 148)
Figure 3. Percentage of time devoted to security awareness activities 2016 (n = 74) and 2017 (n = 148)

Executive Support and Maturity…Moving On Up!

Survey results from the SANS 2017 Security Awareness Report show that, despite limited resources, awareness activities seem to enjoy strong executive support and increasing maturity. In fact, nearly 3% of higher ed respondents reported having more executive support than they need for their institutional awareness activities. SANS has indicated that executive support matters for information security awareness program success.[3] If this is indeed the case, it could be that the 2017 increase in executive support is related to the 2017 increase in information security program maturity, where a majority of security awareness practitioners said that their programs are promoting awareness and behavior change (57% versus 41% in 2016) and only 7% of respondents indicated a nonexistent program (versus 17% in 2016).

Figure 4. Level of executive support 2017 (n = 148)
Figure 5. Information security awareness program maturity 2017 (n = 148)

Your Friendly Higher Ed Information Security Awareness Professional

In this year's survey, SANS asked a number of demographic questions about information security awareness professionals. These questions were designed to better understand how these professionals come into their information security awareness roles. For the education sector, information security awareness professionals tend to be male (64% male, 30% female, 5% prefer not to answer); have been in their role for more than two years (59%); and come from IT backgrounds (57%). Like the overall findings reported by SANS, the results from the education sector show that full-time information security awareness professionals tend to be female.[4]

Figure 6. Percentage of time devoted to security awareness activities 2017, by gender (n = 148)
Figure 7. Time in current information security awareness role (n = 148)
Figure 8. Role before becoming involved in information security awareness (n = 148)

Summary

The 2017 SANS report remarked, "Security awareness is hard."[5] This year's results for the education sector certainly indicate some areas in which running a program may be challenging (e.g., time and resources). But the results also give us reason to be optimistic (e.g., executive support, improving maturity, and seasoned professionals in the primary awareness role).

Notes

  1. We thank EDUCAUSE members for their participation and SANS for its contribution of data to our understanding of higher education information security awareness and training programs.
  2. See Joanna L. Grama and Eden Dahlstrom, "Higher Education Information Security Awareness Programs," research bulletin (Louisville, CO: ECAR, August 8, 2016).
  3. SANS Institute, 2017 Security Awareness Report: It's Time to Communicate, May 2017, 18.
  4. Across all industry sectors, those individuals serving in a full-time information security awareness role are twice as likely to be female (SANS Institute, 2017 Security Awareness Report, 20).
  5. SANS Institute, 2017 Security Awareness Report, 24.

Joanna Lyn Grama is the director of cybersecurity and IT GRC programs at EDUCAUSE.

Valerie M. Vogel is senior manager of the cybersecurity program for EDUCAUSE.

© 2017 Joanna Lyn Grama and Valerie M. Vogel. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.